A Comparison of ISO 9001 and the Capability Maturity Model for Software


Abstract: The Capability Maturity Model for Software (CMM), developed by the Software Engineering Institute, and the ISO 9000 series of standards, developed by the International Organization for Standardization, share a common concern with quality and process management. The two are driven by similar concerns and are intuitively correlated. The purpose of this report is to contrast the CMM and ISO 9001, showing both their differences and their similarities. The results of the analysis indicate that, although an ISO 9001-compliant organization would not necessarily satisfy all of the level 2 key process areas, it would satisfy most of the level 2 goals and many of the level 3 goals. Because there are practices in the CMM that are not addressed in ISO 9000, it is possible for a level 1 organization to receive ISO 9001 registration; similarly, there are areas addressed by ISO 9001 that are not addressed in the CMM. A level 3 organization would have little difficulty in obtaining ISO 9001 certification, and a level 2 organization would have significant advantages in obtaining certification.


1 Introduction

The Capability Maturity Model for Software, developed by the Software Engineering Institute, and the ISO 9000 series of standards, developed by the International Organization for Standardization, share a common concern with quality and process management. The two are driven by similar concerns and are intuitively correlated.

The specific standard in the ISO 9000 series of concern to software organizations is ISO 9001. The questions frequently asked include:

• At what level in the CMM would an ISO 9001-compliant organization be?

• Can a level 2 (or 3) organization be considered compliant with ISO 9001?

• Should my software quality management and process improvement efforts be based on ISO 9001 or on the CMM?

The purpose of this report is to compare the CMM and ISO 9001, identify their differences and similarities, and answer these questions. This report should be useful to anyone embarking on a software process improvement program where ISO 9001 certification is an important issue in their business environment. Even if the CMM is not used as the basis for the improvement program, it provides significant guidance over and above that offered by ISO 9001, ISO 9000-3, or TickIT for implementing an ISO 9001-compliant software process.

Chapter 2 of this report contains a brief overview of the CMM. Chapter 3 contains a brief overview of the ISO 9000 family of standards as relevant to software. Chapter 4 is a clause-by-clause discussion of ISO 9001 and how it relates to the CMM. Chapter 5 contrasts ISO 9001 and the CMM; in particular, it provides a key process area profile for an ISO 9001-compliant organization. Appendix A provides a detailed mapping between ISO 9001 and the CMM; Appendix B does likewise for ISO 9000-3. Appendix C contains a summation of Appendices A and B at the clause level. Appendix D summarizes the practices in the CMM and how (or whether) they are addressed by ISO 9001.
2 The Capability Maturity Model for Software

The Capability Maturity Model for Software [Paulk93a, Paulk93b] describes the principles and practices underlying software process maturity and is intended to help software organizations improve the maturity of their software processes in terms of an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes. The CMM is organized into five maturity levels. A maturity level is a well-defined evolutionary plateau toward achieving a mature software process. Each maturity level provides a layer in the foundation for continuous process improvement.

2.1 The Five Maturity Levels

The following characterizations of the five maturity levels highlight the primary process changes made at each level:

1) Initial
   The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.

2) Repeatable
   Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.

3) Defined
   The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.

4) Managed
   Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.

5) Optimizing
   Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.


2.2 Key Process Areas

Except for level 1, each maturity level is decomposed into several key process areas that indicate the areas an organization should focus on to improve its software process. Key process areas identify the issues that must be addressed to achieve a maturity level. Each key process area identifies a cluster of related activities that, when performed collectively, achieve a set of goals considered important for enhancing process capability. The key process areas and their purposes are listed below. The name of each key process area is followed by its two-letter abbreviation.

By definition there are no key process areas for level 1.

The key process areas at level 2 focus on the software project's concerns related to establishing basic project management controls, as summarized below:

Requirements Management (RM)
   Establish a common understanding between the customer and the software project of the customer's requirements that will be addressed by the software project.

Software Project Planning (PP)
   Establish reasonable plans for performing the software engineering and for managing the software project.

Software Project Tracking and Oversight (PT)
   Establish adequate visibility into actual progress so that management can take effective actions when the software project's performance deviates significantly from the software plans.

Software Subcontract Management (SM)
   Select qualified software subcontractors and manage them effectively.

Software Quality Assurance (QA)
   Provide management with appropriate visibility into the process being used by the software project and of the products being built.

Software Configuration Management (CM)
   Establish and maintain the integrity of the products of the software project throughout the project's software life cycle.


The key process areas at level 3 address both project and organizational issues, as the organization establishes an infrastructure that institutionalizes effective software engineering and management processes across all projects, as summarized below:

Organization Process Focus (PF)
   Establish the organizational responsibility for software process activities that improve the organization's overall software process capability.

Organization Process Definition (PD)
   Develop and maintain a usable set of software process assets that improve process performance across the projects and provide a basis for cumulative, long-term benefits to the organization.

Training Program (TP)
   Develop the skills and knowledge of individuals so they can perform their roles effectively and efficiently.

Integrated Software Management (IM)
   Integrate the software engineering and management activities into a coherent, defined software process that is tailored from the organization's standard software process and related process assets.

Software Product Engineering (PE)
   Consistently perform a well-defined engineering process that integrates all the software engineering activities to produce correct, consistent software products effectively and efficiently.

Intergroup Coordination (IC)
   Establish a means for the software engineering group to participate actively with the other engineering groups so the project is better able to satisfy the customer's needs effectively and efficiently.

Peer Reviews (PR)
   Remove defects from the software work products early and efficiently. An important corollary effect is to develop a better understanding of the software work products and of the defects that can be prevented.

The key process areas at level 4 focus on establishing a quantitative understanding of both the software process and the software work products being built, as summarized below:

Quantitative Process Management (QP)
   Control the process performance of the software project quantitatively.

Software Quality Management (QM)
   Develop a quantitative understanding of the quality of the project's software products and achieve specific quality goals.

The key process areas at level 5 cover the issues that both the organization and the projects must address to implement continuous and measurable software process improvement, as summarized below:

Defect Prevention (DP)
   Identify the causes of defects and prevent them from recurring.

Technology Change Management (TM)
   Identify beneficial new technologies (i.e., tools, methods, and processes) and transfer them into the organization in an orderly manner.

Process Change Management (PC)
   Continually improve the software processes used in the organization with the intent of improving software quality, increasing productivity, and decreasing the cycle time for product development.


2.3 Common Features

For convenience, each of the key process areas is organized by common features. The common features are attributes that indicate whether the implementation and institutionalization of a key process area is effective, repeatable, and lasting. The five common features, followed by their two-letter abbreviations, are listed below:

Commitment to Perform (CO)
   Describes the actions the organization must take to ensure that the process is established and will endure. Includes practices on policy and leadership.

Ability to Perform (AB)
   Describes the preconditions that must exist in the project or organization to implement the software process competently. Includes practices on resources, organizational structure, training, and tools.

Activities Performed (AC)
   Describes the roles and procedures necessary to implement a key process area. Includes practices on plans, procedures, work performed, tracking, and corrective action.

Measurement and Analysis (ME)
   Describes the need to measure the process and analyze the measurements. Includes examples of measurements.

Verifying Implementation (VE)
   Describes the steps to ensure that the activities are performed in compliance with the process that has been established. Includes practices on management reviews and audits.


CMU/SEI-94-TR-12


2.4 Key Practices

Each key process area is described in terms of the key practices that contribute to satisfying its goals. The key practices describe the infrastructure and activities that contribute most to the effective implementation and institutionalization of the key process area and are described in "Key Practices of the Capability Maturity Model, Version 1.1" [Paulk93b].
3 The ISO 9000 Series of Standards for Quality Management Systems

The ISO 9000 series of standards is a set of documents dealing with quality systems that can be used for external quality assurance purposes. They specify quality system requirements for use where a contract between two parties requires the demonstration of a supplier's capability to design and supply a product. The two parties could be an external client and a supplier, or both could be internal, e.g., marketing and engineering groups in a company.

ISO 9000, "Quality management and quality assurance standards - Guidelines for selection and use," clarifies the distinctions and interrelationships between quality concepts and provides guidelines for the selection and use of a series of international standards on quality systems that can be used for internal quality management purposes (ISO 9004) and for external quality assurance purposes (ISO 9001, 9002, and 9003). The quality concepts addressed by these standards are:

• An organization should achieve and sustain the quality of the product or service produced so as to meet continually the purchaser's stated or implied needs.

• An organization should provide confidence to its own management that the intended quality is being achieved and sustained.

• An organization should provide confidence to the purchaser that the intended quality is being, or will be, achieved in the delivered product or service provided. When contractually required, this provision of confidence may involve agreed demonstration requirements.

ISO 9001, "Quality systems - Model for quality assurance in design/development, production, installation, and servicing," is for use when conformance to specified requirements is to be assured by the supplier during several stages, which may include design, development, production, installation, and servicing. Of the ISO 9000 series, it is the standard that is pertinent to software development and maintenance.[1]

[1] There are several other standards and guidelines in the ISO 9000 series, including ISO 9002, ISO 9003, ISO 9004, and ISO 8402. ISO 9002, "Quality systems - Model for quality assurance in production and installation," is for use when conformance to specified requirements is to be assured by the supplier during production and installation. ISO 9003, "Quality systems - Model for quality assurance in final inspection and test," is for use when conformance to specified requirements is to be assured by the supplier solely at final inspection and test. ISO 9004, "Quality management and quality system elements - Guidelines," describes a basic set of elements by which quality management systems can be developed and implemented. ISO 8402, "Quality - Vocabulary," defines the basic and fundamental terms relating to quality concepts, as they apply to products and services, for the preparation and use of quality standards and for mutual understanding in international communications. There are also a number of guides, such as ISO 9000-3, which are additional parts to standards in the ISO 9000 series.
ISO 9000-3 provides "Guidelines for the application of ISO 9001 to the development, supply, and maintenance of software." Annexes A and B in ISO 9000-3 cross-reference ISO 9000-3 and ISO 9001. A British guide for applying ISO 9001 to software [TickIT] provides additional information on using ISO 9000-3 and 9001 in the software arena.

There is significant room for interpretation in using ISO 9001 in the software world. ISO 9000-3 is a guide to interpreting ISO 9001, yet the many-to-many relationships between their clauses (shown in Appendix E) may cause the reader to suspect that liberties have been taken in creating this guidance. Many might conclude that there are extensions to ISO 9001 in ISO 9000-3; e.g., the purchaser's management responsibility (4.1.2), joint reviews (4.1.3), separate quality plans for the supplier (4.2.3) and the development effort (5.5), the purchaser's requirements specification (5.3), etc. If these are extensions, they seem quite reasonable, yet this leads to significant consistency and reliability issues in performing audits. A program such as TickIT can support consistency and reliability by imposing strong training and auditor qualification requirements.
4 Mapping ISO 9001 to the CMM

There are 20 clauses in ISO 9001, which are summarized and compared to the practices in the CMM in this chapter. The comparison is based on an analysis of ISO 9001, ISO 9000-3, TickIT, and the TickIT training materials [Lloyd's94]. There is judgment involved in making this comparison, and there are differences in interpretation for both ISO 9001 and the CMM. ISO 9000-3 elaborates significantly on ISO 9001, and TickIT training provides significant guidance on how to interpret both ISO 9000-3 and ISO 9001. A common challenge for CMM-based appraisals and ISO 9001 certification is reliability and consistency of assessments, which is partially addressed by strict training prerequisites for TickIT auditors and CMM appraisers.

Each clause in ISO 9001 will be discussed in the sections of this chapter, but not on a sentence-for-sentence basis. A detailed mapping, at the sentence to subpractice level, was performed as part of this analysis and is in Appendix A of this report. Appendix B contains a similar mapping for ISO 9000-3. (A less detailed discussion of the relationship between ISO 9001 and the CMM was published in [Paulk93c].)

4.1 Management Responsibility

ISO 9001 requires that the quality policy be defined, documented, understood, implemented, and maintained; that responsibilities and authorities for all personnel specifying, achieving, and monitoring quality be defined; and that in-house verification resources be defined, trained, and funded. A designated manager ensures that the quality program is implemented and maintained.

In the CMM, management responsibility for quality policy and verification activities is primarily addressed in Software Quality Assurance, although Software Project Planning and Software Project Tracking and Oversight also include activities that identify responsibility for performing all project roles.

Management's responsibility, at both the senior management and project management levels, to oversee the software project is addressed in the Verifying Implementation common feature. More generically, leadership issues are addressed in the Commitment to Perform common feature, and organizational structure and resource issues are addressed in the Ability to Perform common feature.

One could argue that the quality policy described in Software Quality Management at level 4 is also addressed by this clause, but the level 4 quality policy is quantitative. ISO 9001 is somewhat ambiguous about the role of measurement in the quality management system, as is discussed for clause 4.20, but ISO 9001 requires that quality objectives be defined and documented, not that they be quantitative (see the discussion of statistical techniques in section 4.20 of this report).
4.2 Quality System

ISO 9001 requires that a documented quality system, including procedures and instructions, be established. ISO 9000-3 characterizes this quality system as an integrated process throughout the entire life cycle.

Quality system activities are primarily addressed in the CMM in Software Quality Assurance. The procedures that would be used are distributed throughout the key process areas in the various Activities Performed practices.

The specific procedures and standards that a software project would use are specified in the software development plan described in Software Project Planning. Compliance with these standards and procedures is assured in Software Quality Assurance and by the auditing practices in the Verifying Implementation common feature.

Software Product Engineering requires that the software engineering tasks be defined, integrated, and consistently performed, which corresponds directly to the ISO 9000-3 guidance for interpreting this clause.

One arguable correspondence is to Organization Process Definition, which describes a set of software process assets, including standards, procedures, and process descriptions, at the organization level. Addressing Organization Process Definition would certainly contribute to achieving this clause, but the standards and procedures in this clause of ISO 9001 could be addressed strictly at the project level. ISO 9001 discusses the supplier's quality system, but it does not discuss the relationship between organizational support and project implementation as the CMM does. ISO 9000-3, on the other hand, has two sections on quality planning: clause 4.2.3 discusses quality planning across projects; clause 5.5 discusses quality planning within a particular development effort.

4.3 Contract Review

ISO 9001 requires that contracts be reviewed to determine whether the requirements are adequately defined, agree with the bid, and can be implemented.

Review of the customer requirements, as allocated to software, is described in the CMM in Requirements Management. The software organization (supplier) ensures that the system requirements allocated to software are documented and reviewed and that missing or ambiguous requirements are clarified. Since the CMM is constrained to the software perspective, the customer requirements as a whole are beyond the scope of this key process area.

Software Project Planning describes the development of a proposal, a statement of work, and a software development plan, which are reviewed by the software engineering group and by senior management, in establishing external (contractual) commitments.

The CMM also explicitly addresses the acquisition of software through subcontracting by the software organization, as described in Software Subcontract Management. Contracts may be with an external customer or with a subcontractor, although that distinction is not explicitly made in this clause of ISO 9001.
4.4 Design Control

ISO 9001 requires that procedures to control and verify the design be established. This includes planning design activities, identifying inputs and outputs, verifying the design, and controlling design changes. ISO 9000-3 elaborates this clause with clauses on the purchaser's requirements specification (5.3), development planning (5.4), quality planning (5.5), design and implementation (5.6), testing and validation (5.7), and configuration management (6.1).

In the CMM, the life cycle activities of requirements analysis, design, code, and test are described in Software Product Engineering. Planning these activities is described in Software Project Planning. Software Project Tracking and Oversight describes control of these life cycle activities, and Software Configuration Management describes configuration management of software work products generated by these activities.

ISO 9001 requires design control measures, such as holding and recording design reviews and qualification tests. ISO 9000-3 states that the supplier should carry out reviews to ensure the requirements are met and design methods are correctly carried out. Although design control measures are required, the use of the phrasing "such as" and "should" allows flexibility in what specific control measures are used. In contrast, the CMM calls out a specific quality control mechanism: peer reviews. The Peer Reviews key process area supports processes throughout the life cycle, from requirements analysis through testing.

TickIT training clarifies this issue by listing three examples of design reviews: Fagan inspections, structured walkthroughs, and peer reviews (in the sense of a desk check). The training also states that "an auditor will need to be satisfied from the procedures and records available that the reviews within an organization are satisfactory considering the type and criticality of the project under review." [Lloyd's94, p. 17.10-11]

More formal, quantitative aspects of the design process are described in Software Quality Management, but this degree of formality is not necessarily required by ISO 9001.

4.5 Document Control

ISO 9001 requires that the distribution and modification of documents be controlled.

In the CMM, the configuration management practices characterizing document control are described in Software Configuration Management. The specific procedures, standards, and other documents that may be placed under configuration management in the CMM are distributed throughout the key process areas in the various Activities Performed practices. The documentation required to operate and maintain the system is specifically called out in Activity 8 of Software Product Engineering.

4.6 Purchasing

ISO 9001 requires that purchased products conform to their specified requirements. This includes the assessment of potential subcontractors and verification of purchased products.
In the CMM, this is addressed in Software Subcontract Management. Evaluation of subcontractors is described in Activity 2, while acceptance testing of subcontracted software is addressed in Activity 12.

4.7 Purchaser-Supplied Product

ISO 9001 requires that any purchaser-supplied material be verified and maintained. ISO 9000-3 discusses this clause in the context of included software product (6.8), including commercial-off-the-shelf software.

Activity 6.3 in Integrated Software Management is the only practice in the CMM describing the use of purchased software. It does so in the context of identifying off-the-shelf or reusable software as part of planning. Integration of off-the-shelf and reusable software is one of the areas where the CMM is weak. This clause, especially as expanded in ISO 9000-3, cannot be considered adequately covered by the CMM. It would be reasonable, though not sufficient, to apply the acceptance testing practice for subcontracted software in Activity 12 of Software Subcontract Management to any included software product.

A change request has been written for CMM v1.1 to incorporate practices in Software Product Engineering that address product evaluation and the inclusion of off-the-shelf and nondevelopmental software.

4.8 Product Identification and Traceability

ISO 9001 requires that the product be identified and traceable during all stages of production, delivery, and installation.

The CMM covers this clause primarily in Software Configuration Management, but Activity 10 of Software Product Engineering states the specific need for consistency and traceability between software work products.

4.9 Process Control

ISO 9001 requires that production processes be defined and planned. This includes carrying out production under controlled conditions, according to documented instructions. Special processes that cannot be fully verified after the fact are continuously monitored and controlled. ISO 9000-3 clauses include design and implementation (5.6); rules, practices, and conventions (6.5); and tools and techniques (6.6).

The procedures defining the software production process in the CMM are distributed throughout the key process areas in the various Activities Performed practices. The specific procedures and standards that would be used are specified in the software development plan, as described in Activity 7 of Software Project Planning. The definition and integration of software "production" processes are described in Software Product Engineering. The tools to support these processes are called out in Ability 1.2 of Software Product Engineering. Process assurance is specified in Activity 4 of Software Quality Assurance (product assurance is specified in Activity 5).

Quantitative Process Management addresses the quantitative aspect of control exemplified by statistical process control, but would typically not be required to satisfy this clause.
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It  is  also  worth  noting  that  clause  6.6  in  ISO  9000-3  states  that  “the  supplier  should  improve 
these  tools  and  techniques  as  required,”  which  corresponds  to  transitioning  new  technology 
into  the  organization  as  discussed  in  Technology  Change  Management. 

4.10 Inspection and Testing

ISO 9001 requires that incoming materials be inspected or verified before use and that in-process inspection and testing be performed. Final inspection and testing are performed prior to release of finished product. Records of inspection and test are kept.

The issues surrounding the inspection of incoming material have already been discussed for clause 4.7. The CMM describes testing in Activities 5, 6, and 7 in Software Product Engineering. In-process inspections in the software sense are addressed in Peer Reviews.

4.11 Inspection, Measuring, and Test Equipment

ISO 9001 requires that equipment used to demonstrate conformance be controlled, calibrated, and maintained. When test hardware or software is used, it is checked before use and rechecked at prescribed intervals. ISO 9000-3 clarifies this clause with clauses on testing and validation (5.7); rules, practices, and conventions (6.5); and tools and techniques (6.6).

This clause is generically addressed in the CMM under the testing practices in Software Product Engineering. Test software is specifically called out in Ability 1.2, which describes the tools that support testing.

4.12 Inspection and Test Status

ISO 9001 requires that the status of inspections and tests be maintained for items as they progress through various processing steps.

This clause is addressed in the CMM by the testing practices in Software Product Engineering and by Activities 5 and 8 on problem reporting and configuration status, respectively, in Software Configuration Management.

4.13 Control of Nonconforming Product

ISO 9001 requires that nonconforming product be controlled to prevent inadvertent use or installation. ISO 9000-3 maps this concept to clauses on design and implementation (5.6); testing and validation (5.7); replication, delivery, and installation (5.9); and configuration management (6.1).

Design, implementation, testing, and validation are addressed in Software Product Engineering. In Software Configuration Management, Activity 8 addresses the status of configuration items, which would include the status of items that contain known defects not yet fixed. Installation is not addressed in the CMM, as is discussed for clause 4.15.

In the manufacturing world this clause is important because it is sometimes necessary to build products using components that do not conform to all of the requirements. When such decisions are made, the resulting nonconforming products must be carefully controlled. Similarly, in the software world, a system may sometimes use tools or reuse software that does not satisfy all of the pertinent standards. For example, reusing FORTRAN code in an Ada program may be cost-effective if the FORTRAN code has demonstrated its value in previous applications. That code, however, may pose a significant risk to the Ada system, and the risk must be thoughtfully managed.

Nonconforming product is not specifically addressed in the CMM. In ISO 9000-3, it essentially disappears among a number of related processes spanning the software life cycle: design and implementation (5.6); testing and validation (5.7); replication, delivery, and installation (5.9); and configuration management (6.1).

4.14 Corrective Action

ISO 9001 requires that the causes of nonconforming product be identified. Potential causes of nonconforming product are eliminated, and procedures are changed as a result of corrective action. ISO 9000-3 quotes this clause verbatim, with no elaboration.

A literal reading of this clause would imply many of the practices in Defect Prevention. Based upon the TickIT Auditors’ Guide [TickIT, pp. 139-140] and discussions with ISO 9000 auditors, the corrective action discussed in this clause is driven by customer complaints. The software engineering group should look at field defects, analyze why they occurred, and take corrective action. This would typically occur through software updates and patches distributed to the fielded software. Under this interpretation, an appropriate mapping of this clause would be problem reporting, followed with controlled maintenance of baselined work products. Problem reporting is described in Software Configuration Management in the CMM.

A complementary interpretation described in TickIT training [Lloyd’s94, section 23] is that the corrective action is to address noncompliances identified in an audit, whether external or internal. This would be addressed in Software Quality Assurance in the CMM.

In the current revision cycle for ISO 9001, the draft international standard includes separate requirements for corrective and preventive action. Corrective action is directed toward eliminating the causes of actual nonconformities, and preventive action is directed toward eliminating the causes of potential nonconformities [Durand93, p. 27].

This is a controversial issue in applying ISO 9001 to software. Some auditors seem to expect a defect prevention process similar to that which is found in the manufacturing environment. Others only require addressing user problem reports. It is arguable how much of the in-process causal analysis and defect prevention described in Defect Prevention is necessary to satisfy this clause.

4.15 Handling, Storage, Packaging, and Delivery

ISO 9001 requires that procedures for handling, storage, packaging, and delivery be established and maintained. ISO 9000-3 maps this to clauses on acceptance (5.8) and replication, delivery, and installation (5.9).

Replication, delivery, and installation are not covered in the CMM. Acceptance testing is addressed in Activity 7 of Software Product Engineering, and Activity 7 of Software Configuration Management describes the creation and release of software products. Delivering and installing the product, however, is not described in the CMM.

A change request has been written for CMM v1.1 to incorporate a practice in Software Product Engineering on delivery and installation of the software product.

4.16 Quality Records

ISO 9001 requires that quality records be collected, maintained, and dispositioned.

The practices defining the quality records to be maintained in the CMM are distributed throughout the key process areas in the various Activities Performed practices. Specifically pertinent to this clause are the testing and peer review practices in Software Product Engineering, especially the collection and analysis of defect data in Activity 9. Problem reporting is addressed by Activity 5 in Software Configuration Management, and the collection of peer review data is described in Activity 3 of Peer Reviews.

4.17 Internal Quality Audits

ISO 9001 requires that audits be planned and performed. The results of audits are communicated to management, and any deficiencies found are corrected.

The auditing process is described in Software Quality Assurance. Specific audits in the CMM are called out in the auditing practices of the Verifying Implementation common feature.

4.18 Training

ISO 9001 requires that training needs be identified and that training be provided, since selected tasks may require qualified personnel. Records of training are maintained.

Specific training needs in the CMM are identified in the training and orientation practices in the Ability to Perform common feature. The general training infrastructure is described in Training Program, including maintaining training records in Activity 6.

4.19 Servicing

ISO 9001 requires that servicing activities be performed as specified. ISO 9000-3 addresses this clause as maintenance (5.10).

Although the CMM is intended to be applied in both the software development and maintenance environments, the practices in the CMM do not directly address the unique aspects that characterize the maintenance environment. Maintenance is embedded throughout the practices of the CMM, and they must be appropriately interpreted in the development or maintenance contexts.

Maintenance is not, therefore, a separate process in the CMM. Change requests for CMM v1.0 expressed a concern about using the CMM for maintenance projects, and some wording was changed for CMM v1.1 to better address the maintenance environment. We anticipate that this will remain a topic of discussion as we provide guidance for tailoring the CMM to different environments, such as maintenance, and begin the next revision cycle for the CMM.

4.20 Statistical Techniques

ISO 9001 states that, where appropriate, adequate statistical techniques are identified and used to verify the acceptability of process capability and product characteristics. ISO 9000-3 simply characterizes this clause as measurement (6.4).

The practices describing measurement in the CMM are distributed throughout the key process areas. Product measurement is typically incorporated into the various Activities Performed practices, and process measurement is described in the Measurement and Analysis common feature.

Activity 5 of Organization Process Definition describes the establishment of an organization process database for collecting process and product data. This database is maintained at the organization level, and it seems likely that most auditors would accept project-level data (as described in the project management key process areas at level 2) to satisfy this clause. At least a few auditors do, however, require an organization-level historical database and the use of simple statistical control charts.

If statistical process control is inferred from this clause, it would be satisfied by Quantitative Process Management and Software Quality Management. Note, however, that statistical techniques are used "where appropriate." Some auditors look for use of any statistical tools, such as Pareto analysis. Other auditors are satisfied by any consistently collected and used measurement data. There is a significant degree of interpretation of this clause by auditors.
5 Contrasting ISO 9001 and the CMM

Clearly there is a strong correlation between ISO 9001 and the CMM, although some issues in ISO 9001 are not covered in the CMM, and some issues in the CMM are not addressed in ISO 9001. The levels of detail differ significantly: chapter 4 in ISO 9001 is about five pages long; sections 5, 6, and 7 in ISO 9000-3 comprise about 11 pages; and the CMM is over 500 pages long. There is some judgment involved in deciding the exact correspondence, given the different levels of abstraction.

The clauses in ISO 9001 with no strong relationships to the CMM key process areas, and which are not well addressed in the CMM, are purchaser-supplied product (4.7) and handling, storage, packaging and delivery (4.15). The clause in ISO 9001 that is addressed in the CMM in a completely distributed fashion is servicing (4.19). The clauses in ISO 9001 for which the exact relationship to the CMM is subject to significant debate are corrective action (4.14) and statistical techniques (4.20).

The biggest difference, however, between these two documents is the emphasis of the CMM on continuous process improvement. ISO 9001 addresses the minimum criteria for an acceptable quality system.² It should also be noted that the CMM focuses strictly on software, while ISO 9001 has a much broader scope: hardware, software, processed materials, and services [Marquardt91].

The biggest similarity is that for both the CMM and ISO 9001, the bottom line is “Say what you do; do what you say.” The fundamental premise of ISO 9001 is that every important process should be documented and every deliverable should have its quality checked through a quality control activity. ISO 9001 requires documentation that contains instructions or guidance on what should be done or how it should be done. The CMM shares this emphasis on processes that are documented and practiced as documented. Phrases such as conducted “according to a documented procedure” and following “a written organizational policy” characterize the key process areas in the CMM.

The CMM also emphasizes the need to record information for later use in the process and for improvement of the process. This is equivalent to the quality records of ISO 9001 that document whether or not the required quality is achieved and whether or not the quality system operates effectively [TickIT, p. 120].


² This statement is controversial in itself. Some members of the international standards community maintain that if you read ISO 9001 with insight (between the lines, so to speak), it does address continuous process improvement. There is faith that weaknesses will improve over time, especially given regular surveillance audits. Corrective action can be interpreted in this way, although that may not be consistently done today. This will undoubtedly be one of the major topics for the next revision cycle for ISO 9001.
5.1 The Need for Judgment

When making a more detailed comparison, some clauses in ISO 9001 are easily mapped to their equivalent CMM practices. Other relationships map in a many-to-many fashion, since the two documents are structured differently. For example, the training clause (4.18) in ISO 9001 maps to both the Training Program key process area and the training and orientation practices in all of the key process areas.

Satisfying a key process area depends on both implementing and institutionalizing the process. Implementation is described in Activities Performed; institutionalization is described by the other common features.

In general, practices in Commitment to Perform (policies, leadership) can be considered addressed under ISO 9001’s clause on management responsibility (4.1). Practices in Ability to Perform (training, resource allocation, tools, and organizational structures) can be considered addressed under ISO 9001’s clauses on management responsibility (4.1) and training (4.18) and ISO 9000-3’s clauses on rules, practices, and conventions (6.5) and tools and techniques (6.6). Practices in Measurement and Analysis can be considered addressed under ISO 9001’s clauses on quality records (4.16) and statistical techniques (4.20) and ISO 9000-3’s clause on measurement (6.4). Practices in Verifying Implementation (senior management oversight, project management review, and audits) can be considered addressed under ISO 9001’s clauses on management responsibility (4.1) and quality system (4.2).

As this illustrates, the element of judgment in making this comparison is significant. A preliminary comparison of the concepts in ISO 9001 and the CMM would suggest that an organization with an ISO 9001 certificate should be at level 3 or 4. In reality, there are level 1 organizations with certificates. One reason is variability of interpretation; it is absolutely clear that the design reviews in ISO 9001 correspond directly to the CMM’s peer reviews if one has gone through the TickIT training. Another reason, however, is that achieving level 2 implies mastering the level 2 key process areas. Due to the high level of abstraction in ISO 9001, it is unclear what degree of sophistication is required to satisfy an auditor.

5.2 The Key Process Area Profile of an ISO 9001-Compliant Organization

What would be the maturity level of an ISO 9001-compliant organization, if it implemented no management or engineering practices not called out by ISO 9001? This is an extreme case, but it gives a lower bound for the maturity of an ISO 9001-compliant organization.

Figure 1 illustrates the key process area profile of an ISO 9001-compliant organization, which has no quality practices beyond those directly called out in ISO 9001. Where there may be a matter of judgment involved, the judgment interpretation is also illustrated in the profile. The dark shading indicates practices that are directly addressed by ISO 9001 or ISO 9000-3; the light shading indicates practices that may be addressed depending on an interpretation of ISO 9001; and the unshaded areas indicate practices not addressed by ISO 9001. Key process areas may be, therefore, partially or fully satisfied, satisfied under some interpretations, or not satisfied. The size of the bar indicates the percentage of key practices within the key process area that are addressed in either ISO 9001 or ISO 9000-3 (see the appendices for a detailed listing of what practices are addressed where).
[Figure 1 (bar chart) not reproduced. Key process areas labeled in the figure: Process Change Management, Technology Change Management, Defect Prevention, Software Quality Management, Software Product Engineering, Integrated Software Management, Training Program, Organization Process Definition, Organization Process Focus, Software Quality Assurance. Legend category: Not Satisfied.]

Figure 1. Key process area profile for an ISO 9001-compliant organization
Note the following about Figure 1:

• Every key process area at level 2 is strongly related to ISO 9001.

• Every key process area is at least weakly related to ISO 9001.

Based on this profile, a level 1 organization according to the CMM could be certified as compliant with ISO 9001. That organization would, however, have significant process strengths at level 2 and noticeable strengths at level 3.

Private discussions indicate that many level 1 organizations have received ISO 9001 certificates, although surveillance audits may identify deficiencies later that result in loss of certification. Other organizations have identified significant problems during a CMM-based assessment that had not surfaced during a previous ISO 9001 audit [Coallier94]. Given a reasonable implementation of the software process, however, an organization that obtains and retains ISO 9001 certification should be close to level 2.

If an organization is following the spirit of ISO 9001, it seems probable the organization would be near or above level 2. The level 1 organizations with certificates, however, highlight the differences between the spirit and the letter of ISO 9001 (a similar concern exists for the CMM). This observation also highlights the need for experienced, knowledgeable auditors.

Can a level 3 organization be considered compliant with ISO 9001? Even a level 3 organization would need to ensure that the delivery and installation process described in clause 4.15 of ISO 9001 is adequately addressed and should consider the use of included software product, as described in clause 6.8 of ISO 9000-3. This would be comparatively trivial for a level 3 organization; even a level 2 organization would have little difficulty in obtaining ISO 9001 certification.
6 Conclusion

Although there are specific issues that are not adequately addressed in the CMM, in general the concerns of ISO 9001 are encompassed by the CMM. The converse is less true. ISO 9001 describes the minimum criteria for an adequate quality management system rather than process improvement, although future revisions of ISO 9001 may address this concern. The differences are sufficient to make a rote mapping impractical, but the similarities provide a high degree of overlap.

Should software process improvement be based on the CMM, with perhaps some extensions for ISO 9001 specific concerns, or should the improvement effort focus on certification concerns? A market may require ISO 9001 certification, and level 1 organizations would certainly profit from addressing the concerns of ISO 9001. It is also true that addressing the concerns of the CMM would help organizations prepare for an ISO 9001 audit. Although either document could be used to structure a process improvement program, the more detailed guidance and greater breadth provided to software organizations by the CMM suggest that it is the better choice (a perhaps biased answer).

In any case, building competitive advantage should be focused on improvement, not on achieving a score, whether the score is a maturity level or a certificate. We would advocate addressing the larger context encompassed by the CMM, but even then there is a need to address the still larger business context, as exemplified by Total Quality Management.
Appendix A. A Detailed Map Between ISO 9001 and the CMM

The following table maps ISO 9001 into the CMM at the sentence fragment to subpractice level. This mapping goes to a fine level of detail and may be more literal than is useful in truly understanding the underlying relationships between ISO 9001 and the CMM.

The column labeled “Clause” contains the clause and subclause numbers from ISO 9001. The column labeled “ISO 9001 Title” lists the corresponding title of the clause or subclause.

Since ISO 9001 is copyrighted, we cannot include the actual text in this report. Relationships are mapped at the paragraph and sentence level, which are listed in separate rows of this table. The ISO 9001 clause and subclause titles help identify the specific location in ISO 9001 of a relationship.

The column labeled “Basic CMM Practices” contains those CMM practices for which the relationship is relatively straightforward. The column labeled “CMM Practices by Judgment” contains those practices for which a significant degree of judgment (and consequent possibilities of inconsistency) may be used when determining a reasonable relationship between the clauses in ISO 9001 and the practices in the CMM.

Note that the table is divided into clauses, with subclauses also identified. This may make it easier to locate specific correspondences, even in the absence of the ISO 9001 text. Appendix C has a top-level mapping of ISO 9001 to the CMM at the clause to key practice level.
The abbreviations for key process areas and common features are described in the body of this report. Certain themes run throughout each key process area. These themes can be expressed by templates in each common feature. Some themes map generically into a particular clause in ISO 9001, e.g., the training practices map into the training clause (4.18) in ISO 9001. Abbreviations used in this table for the general themes in the CMM include:

.CO.policy      The policy practices in Commitment to Perform
.CO.lead        The leadership practices in Commitment to Perform
.AB.structure   The organizational structure (groups) practices in Ability to Perform
.AB.resource    The resource practices in Ability to Perform
.AB.train       The training practices in Ability to Perform
.AB.orient      The orientation practices in Ability to Perform
.AC.plan        The planning practices in Activities Performed
.AC.procedure   The practices performed according to a documented procedure in Activities Performed
.AC.configure   The practices containing a work product that is “managed and controlled” or under “configuration management” in Activities Performed
.ME.measure     The measurement practices in Measurement and Analysis
.VE.senior      The senior management review practices in Verifying Implementation
.VE.project     The project manager review practices in Verifying Implementation
.VE.audit       The audit practices in Verifying Implementation
Clause    ISO 9001 Title                          CMM Practices (Basic CMM Practices and CMM Practices by Judgment; the column split was not preserved in this copy)
4         Quality system requirements
4.1       Management responsibility
4.1.1     Quality policy                          QA.CO.1, .CO.policy, QM.CO.1, .CO.lead, QA.AB.4
4.1.2     Organization
4.1.2.1   Responsibility and authority            PT.AB.2, PT.CO.1, QA.CO.1.2, QA.AB.1, QA.AC.4, QA.AC.7.1, QA.AC.5, CM.AC.5, QA.AC.7.3, QA.AC.7, CM.AB.2
4.1.2.2   Verification resources and personnel    PP.AC.7.3, QA.AB.1, QA.AB.2, QA.AC.2.7, QA.AC.3.1, PE.AC.5, PE.AC.6, PE.AC.7, PE.AC.3.6, PE.AC.3.9
CMU/SEI-94-TR-12




[Table continues. Only the CMM practice cells of the following rows were recovered; their clause and title cells are missing: PE.AC.2.11, CM.CO.1; PE.AC.3.10, CM.AC.4; PE.AC.4.5, CM.AC.8; CM.AC.4.2; QA.AC.4; QA.AC.5; PF.AC.1; DP.AC.3; PF.AC.3; IM.AC.10; DP.AC.4; QA.AC.7; PD.ME.1; DP.ME.1; DP.VE.1; DP.VE.2; DP.VE.3; DP.AC.5; DP.AC.6; DP.AC.7; DP.ME.1; PC.AC.9]



Clause    ISO 9001 Title
4.15      Handling, storage, packaging and delivery
4.15.1    General
4.15.2    Handling
4.15.3    Storage
          Packaging
4.15.5    Delivery
4.16      Quality records

[CMM practice cells recovered for these rows; the assignment to individual rows and to the Basic/by Judgment columns was not preserved in this copy: PT.AC.5; PT.AC.6; PT.AC.8; PT.AC.9; PT.AC.11; PE.AC.9; PR.AC.3; QA.AC.4, .VE.audit; QA.AC.5; QA.AC.2; QA.AC.4; QA.AC.5; QA.AC.6; QA.AC.7; QA.AC.6; QA.AC.7]
Appendix B. A Detailed Map Between ISO 9000-3 and the CMM

The following table maps ISO 9000-3 into the CMM at the sentence fragment to subpractice level. This mapping goes to a fine level of detail and may be more literal than is useful in truly understanding the underlying relationships between ISO 9000-3 and the CMM.

The column labeled “Clause” contains the clause and subclause numbers from ISO 9000-3. The column labeled “ISO 9000-3 Title” lists the corresponding title of the clause or subclause.

Since ISO 9000-3 is copyrighted, we cannot include the actual text in this report. Relationships are mapped at the paragraph and sentence level, which are listed in separate rows of this table. The ISO 9000-3 clause and subclause titles help identify the specific location in ISO 9000-3 of a relationship.

The column labeled “Basic CMM Practices” contains those CMM practices for which the relationship is relatively straightforward. The column labeled “CMM Practices by Judgment” contains those practices for which a significant degree of judgment (and consequent possibilities of inconsistency) may be used when determining a reasonable relationship between the clauses in ISO 9000-3 and the practices in the CMM.

Note that the table is divided into clauses, with subclauses also identified. This may make it easier to locate specific correspondences, even in the absence of the ISO 9000-3 text. Appendix E has a cross-reference between ISO 9001 and ISO 9000-3 taken from Annexes A and B in ISO 9000-3. This cross-reference may help the reader use Appendix C, which contains a top-level mapping of ISO 9001 to the CMM at the clause to key practice level.
The abbreviations for key process areas and common features are described in the body of this report. Certain themes run throughout each key process area. These themes can be expressed by templates in each common feature. Some themes map generically into a particular clause in ISO 9000-3, e.g., the training practices map into the training clause (6.9) in ISO 9000-3. Abbreviations used in this table for the general themes in the CMM include:

.CO.policy      The policy practices in Commitment to Perform
.CO.lead        The leadership practices in Commitment to Perform
.AB.structure   The organizational structure (groups) practices in Ability to Perform
.AB.resource    The resource practices in Ability to Perform
.AB.train       The training practices in Ability to Perform
.AB.orient      The orientation practices in Ability to Perform
.AC.plan        The planning practices in Activities Performed
.AC.procedure   The practices performed according to a documented procedure in Activities Performed
.AC.configure   The practices containing a work product that is “managed and controlled” or under “configuration management” in Activities Performed
.ME.measure     The measurement practices in Measurement and Analysis
.VE.senior      The senior management review practices in Verifying Implementation
.VE.project     The project manager review practices in Verifying Implementation
.VE.audit       The audit practices in Verifying Implementation
Clause    ISO 9000-3 Title                              Basic CMM Practices    CMM Practices by Judgment

[The columns of this table were flattened in the scan. The clause titles that remain legible
are listed in order; the practice identifiers that appeared on the same page fragment follow
each group, without their row and column alignment.]

4         Quality system - Framework
4.1       Management responsibility
          Supplier's management responsibility
          Quality policy
          Organization
          Responsibility and authority
          Verification resources and personnel
          Practice identifiers on this fragment: QA.CO.1; .CO.policy; QM.CO.1; .CO.lead;
          QA.AB.4; PT.AB.2; PT.CO.1; QA.CO.1.2; QA.AB.1; QA.AC.4; QA.AC.7.1; QA.AC.5;
          CM.AC.5; QA.AC.7.3; PP.AC.7.3; QA.AC.2.7; QA.AB.1; QA.AC.3.1; QA.AB.2; PE.AC.5;
          PE.AC.6; PE.AC.7; PE.AC.3.6; PE.AC.3.9

          (clause titles not recovered)
          Practice identifiers on this fragment: QA.AC.4; .VE.audit; QA.AC.5; QA.AC.2;
          QA.AC.4; QA.AC.5; QA.AC.6; QA.AC.7; QA.AC.6; QA.AC.7

          (clause titles not recovered)
          Practice identifiers on this fragment: PE.AC.2.10; PE.AC.3.6; PE.AC.3.9; PE.AC.4.4;
          PE.AC.5.6; PE.AC.6.2; PE.AC.7.2; PE.AC.7.4; PR.AC.2; PE.AC.5; PE.AC.6; PE.AC.7;
          PR.AC.2.6; CM.AC.6.2

          (clause titles not recovered)
          Practice identifiers on this fragment: CM.AC.5; PE.AC.9; CM.AC.8.1; PR.AC.3

5.7       Testing and validation
          Testing
          Validation
          Field testing
5.8       Acceptance
          General
5.8.2     Acceptance test planning
          Practice identifiers on this fragment: PE.AC.5.3; PE.AB.1.2; PE.AC.7.2; PE.AC.5.1;
          PE.AC.8.5; PE.AC.8.7; PE.AB.1.1; PE.AB.2; PE.AC.7.7; PE.AC.9; PE.AC.7.6; PE.AC.5.5;
          PE.AC.5.8; PE.AC.5.3; PE.AC.7; PE.AC.7; PE.AC.7.1; CM.AC.5; PE.AC.7.5; PE.AC.7.2;
          PE.AC.5.1; RM.AB.2.3

5.9       Replication, delivery, and installation
5.9.1     Replication
5.9.2     Delivery
5.9.3     Installation
5.10      Maintenance
5.10.1    General
          Practice identifiers on this fragment: PE.AC.8.7; PP.AB.1.1

CMU/SEI-94-TR-12

5.10.4    Support organization
5.10.5    Types of maintenance activities

6         Quality system - Supporting activities (not phase dependent)
6.1       Configuration management
6.1.1     General
          Practice identifiers on this fragment: CM.AC.3.5; CM.AC.4.2; PP.AC.8; CM.AC.4.4;
          CM.AC.8; CM.AC.2.1; CM.AC.2.1; CM.AB.3.2; CM.AC.4.5

          (clause titles not recovered)
          Practice identifiers on this fragment: SM.AC.9.3; SM.AC.12.2; PE.ME.1; .ME.measure;
          PE.ME.2; PT.AC.8.1; QP.AC.5.6; IM.AC.6.3; SM.AC.12; SM.AC.3.1; SM.AC.1; SM.AC.3.2;
          SM.AC.3.3; SM.AC.1.3
Appendix C. A Clause-Level Map Between ISO 9001, ISO 9000-3, and the CMM

The following table maps ISO 9001 and ISO 9000-3 into the CMM at the clause to key
practice level. ISO 9001 and ISO 9000-3 are combined as described in Appendix E of this
report.

The column labeled “Clause” contains the clause numbers from ISO 9001. The column
labeled “ISO 9001 Title” lists the corresponding title of the clause.

The column labeled “Basic CMM Practices” contains those CMM practices for which the
relationship is relatively straightforward. The column labeled “CMM Practices by Judgment”
contains those practices for which a significant degree of judgment (and consequent
possibilities of inconsistency) may be used when determining a reasonable relationship
between the clauses in ISO 9001 and the practices in the CMM, with guidance from ISO
9000-3.

The abbreviations for key process areas and common features are described in the body of
this report. Certain themes run throughout each key process area. These themes can be
expressed by templates in each common feature. Some themes map generically into a
particular clause, e.g., the training practices map into the training clause (4.18) in ISO 9001.
Abbreviations used in this table for the general themes in the CMM include:

.CO.policy      The policy practices in Commitment to Perform
.CO.lead        The leadership practices in Commitment to Perform
.AB.structure   The organizational structure (groups) practices in Ability to Perform
.AB.resource    The resource practices in Ability to Perform
.AB.train       The training practices in Ability to Perform
.AB.orient      The orientation practices in Ability to Perform
.AC.plan        The planning practices in Activities Performed
.AC.procedure   The practices performed according to a documented procedure in
                Activities Performed
.AC.configure   The practices containing a work product that is “managed and controlled”
                or under “configuration management” in Activities Performed
.ME.measure     The measurement practices in Measurement and Analysis
.VE.senior      The senior management review practices in Verifying Implementation
.VE.project     The project manager review practices in Verifying Implementation
.VE.audit       The audit practices in Verifying Implementation
Clause    ISO 9001 Title                                Basic CMM Practices    CMM Practices by Judgment

[The columns of this table were flattened in the scan. The row assignment below was
reconstructed from the order in which the entries appeared, using the key process area
ordering within each column; a cell for which nothing legible remains is shown as
“(none recovered)”.]

4.1       Management responsibility
          Basic:        PT.AB.2; PT.AC.13; QA.CO.1; QA.AB.1, 2; QA.AC.4, 5; QA.VE.1, 3; PE.AC.7
          By judgment:  .CO.policy; .CO.lead; .VE.project; .VE.senior; .VE.audit; RM.AB.2;
                        PP.AB.1; PT.CO.1; QA.AB.4; QA.AC.7; QA.ME.1; CM.AB.2; CM.AC.5, 10;
                        CM.VE.3; PF.AC.1; PF.ME.1; PE.AC.5, 6; IC.AC.1; PR.AC.2; QM.CO.1

4.2       Quality system
          Basic:        RM.AC.1; PP.AC.14; QA.CO.1; QA.AC.1; QA.VE.3; PE.AB.1; PE.AC.1, 10
          By judgment:  .AC.procedure; .ME.measure; .VE.audit; PP.AC.6, 7, 13; PT.AB.2;
                        PT.AC.11; QA.AC.7; QA.VE.1; CM.AC.5; PD.AC.1; IM.AC.10; PE.CO.1;
                        PE.AC.1, 9; PE.ME.1; PR.AB.1; PR.AC.3; QM.AC.1, 2, 3; DP.CO.1

4.3       Contract review
          Basic:        RM.AB.2; RM.AC.1, 3; PP.AC.3, 14
          By judgment:  RM.ME.1; PP.AC.1, 4; PP.ME.1; PT.AC.3, 13; SM.AC.1, 2, 3, 6; CM.AC.5;
                        IM.AC.11

4.4       Design control
          Basic:        RM.AB.2; RM.AC.1, 3; PP.AC.5, 7, 11, 12; PT.AB.2; PT.AC.2, 12, 13;
                        SM.AC.1; QA.AC.1, 2; CM.AC.1, 2, 4, 5, 6, 8, 9; PE.AB.1, 2;
                        PE.AC.5, 6, 7, 9; IC.AC.2, 3; PR.AC.2, 3; QM.AC.3
          By judgment:  .AB.structure; .AB.resource; .AC.plan; PP.AC.8;
                        PT.AC.1, 5, 6, 7, 8, 9, 10, 13; QA.AC.4; CM.AB.1, 2; CM.AC.7; PD.AC.6;
                        IM.AC.11; PE.AB.2; PE.AC.2, 3, 10; PE.ME.1; IC.AC.4, 6, 7;
                        PR.AB.1, 2, 3; PR.AC.2; QM.AC.1

4.5       Document control
          Basic:        PT.AC.11; CM.CO.1; CM.AC.1, 4, 5, 6, 7, 8, 9
          By judgment:  .AC.procedure; .AC.configure; RM.AC.3; PP.AC.8; PT.AC.2, 4, 12;
                        CM.AB.1, 2; CM.AC.2, 10; CM.VE.3; PE.AC.8, 10; PE.ME.1; IC.AC.7

4.6       Purchasing
          Basic:        SM.AC.2, 12
          By judgment:  SM.AC.1, 6, 8, 10; PE.AC.7

4.7       Purchaser-supplied product
          Basic:        (none recovered)
          By judgment:  SM.AC.12; IC.AC.5

4.8       Product identification and traceability
          Basic:        CM.AC.1, 4, 5, 6, 8, 9
          By judgment:  PP.AC.8; CM.CO.1; CM.AB.1, 2; CM.AC.7; PE.AC.10; PE.ME.1

4.9       Process control
          Basic:        PP.AC.6, 7, 14; PT.AC.12, 13; QA.AC.4, 5; PE.AC.1, 9; PR.AC.2, 3
          By judgment:  .AC.procedure; .VE.audit; QA.AC.1, 2, 4; CM.AC.5; PF.AC.1; PD.AC.6;
                        TP.AC.6; PE.AC.1; IC.AC.4; QP.AC.5; TM.AC.7, 8

4.10      Inspection and testing
          Basic:        QA.AC.4, 5; PE.AB.2; PE.AC.5, 6, 7, 9; PR.AC.2
          By judgment:  PT.AC.9; SM.AC.10, 12; CM.AC.5, 8; IC.AC.5; PE.VE.3; PR.AC.3

4.11      Inspection, measuring, and test equipment
          Basic:        PP.AC.14; PE.AB.1, 2; PE.AC.1, 5, 6, 7, 9
          By judgment:  .AC.procedure; CM.AC.5; PF.AC.1; TM.AC.7, 8

4.12      Inspection and test status
          Basic:        CM.AC.1, 4, 5, 6, 8, 9
          By judgment:  PP.AC.8; CM.AB.1, 2; CM.AC.7; PE.AC.10; PE.ME.1; PR.AC.3

4.13      Control of nonconforming product
          Basic:        CM.AC.1, 4, 5, 6, 8, 9; PE.AB.2; PE.AC.5, 6, 7, 9; PR.AC.2, 3
          By judgment:  PP.AC.8; CM.AB.1, 2; CM.AC.7; PD.AC.6; IM.AC.11; PE.AC.5, 10;
                        PE.ME.1; IC.AC.4; PR.AC.2

4.14      Corrective action
          Basic:        QA.AC.2, 4, 5, 6, 7
          By judgment:  QA.AC.4, 5, 7; PF.AC.1, 3; PD.ME.1; IM.AC.10; DP.AC.3, 4, 5, 6, 7;
                        DP.ME.1; DP.VE.1, 2, 3; PC.AC.9

4.15      Handling, storage, packaging, and delivery
          Basic:        (none recovered)
          By judgment:  CM.AC.7, 9, 10

4.16      Quality records
          Basic:        (none recovered)
          By judgment:  .ME.measure; PT.AC.5, 6, 8, 9, 11; QA.AC.8; QA.ME.1; CM.AC.5, 8;
                        PD.AC.5; PE.AC.9; PR.AC.3

4.17      Internal quality audits
          Basic:        (none recovered)
          By judgment:  .VE.audit

4.18      Training
          Basic:        TP.AC.1, 2, 6; PE.AB.2
          By judgment:  .AB.train; .AB.orient; TP.AC.5

4.19      Servicing
          Basic:        (none recovered)
          By judgment:  (none recovered)

4.20      Statistical techniques
          Basic:        PT.ME.1; PE.ME.1, 2
          By judgment:  .ME.measure; CM.AC.5; PD.AC.5; QP.AC.3, 5; QM.AC.3
Appendix D. Coverage of CMM Key Practices in ISO 9001

The following table views the relationship between the CMM key practices and ISO 9001
from the CMM perspective. Rather than reproduce the detailed mapping in Appendices A
and B, it simply lists whether a key practice is covered by ISO 9001 and was used to
generate the key process area profile in Figure 1.

[The columns of this table were flattened in the scan; the column assignment below was
reconstructed from the order of the entries and from the columns in which each practice
appears in Appendix C. An empty cell is shown as “(none)”.]

Key Process Area                           Activities Covered        Activities Covered        Activities Not
                                           Under Basic               By Judgment of            Covered
                                           Interpretation            Auditor

Level 2 KPAs
Requirements Management                    1, 3                      (none)                    2
Software Project Planning                  3, 5, 6, 7, 11, 12, 14    1, 4, 8, 13               2, 9, 10, 15
Software Project Tracking and Oversight    2, 11, 12, 13             1, 3, 4, 5, 6, 7, 8, 9,   (none)
                                                                     10
Software Subcontract Management            1, 2, 3, 12               6, 8, 10                  4, 5, 7, 9, 11, 13
Software Quality Assurance                 1, 2, 4, 5, 6, 7          8                         3
Software Configuration Management          1, 2, 4, 5, 6, 7, 8, 9    10                        3

Level 3 KPAs
Organization Process Focus                 (none)                    1, 2, 3                   4, 5, 6, 7
Organization Process Definition            (none)                    1, 5, 6                   2, 3, 4
Training Program                           1, 2, 6                   5                         3, 4
Integrated Software Management             (none)                    3, 10, 11                 1, 2, 4, 5, 6, 7, 8, 9
Software Product Engineering               1, 5, 6, 7, 9, 10         2, 3, 8                   4
Intergroup Coordination                    2, 3                      1, 4, 5, 6, 7             (none)
Peer Reviews                               2, 3                      (none)                    1

Level 4 KPAs
Quantitative Process Management            (none)                    1, 3, 5                   2, 4, 6, 7
Software Quality Management                3                         1, 2                      4, 5

Level 5 KPAs
Defect Prevention                          (none)                    1, 3, 4, 5, 6, 7          2, 8
Technology Change Management               (none)                    1, 7, 8                   2, 3, 4, 5, 6
Process Change Management                  (none)                    3, 9                      1, 2, 4, 5, 6, 7, 8, 10
Appendix E. Cross-References Between ISO 9001 and ISO 9000-3

Cross-reference between ISO 9001 and ISO 9000-3, from Annex B in ISO 9000-3

Clause in ISO 9001                                      Clause in ISO 9000-3
4      Quality system requirements                      4, 5, 6
4.1    Management responsibility                        4.1
4.2    Quality system                                   4.2, 5.5
4.3    Contract review                                  5.2, 5.3
4.4    Design control                                   5.3, 5.4, 5.5, 5.6, 5.7, 6
4.5    Document control                                 6.1, 6.2
4.6    Purchasing                                       6.7
4.7    Purchaser-supplied product                       6.8
4.8    Product identification and traceability          6.1
4.9    Process control                                  5.6, 6.5, 6.6
4.10   Inspection and testing                           5.7, 5.8, 5.9
4.11   Inspection, measuring, and test equipment        5.7, 6.5, 6.6
4.12   Inspection and test status                       6.1
4.13   Control of nonconforming product                 5.6, 5.7, 5.9, 6.1
4.14   Corrective action                                4.4
4.15   Handling, storage, packaging, and delivery       5.8, 5.9
4.16   Quality records                                  6.3
4.17   Internal quality audits                          4.3
4.18   Training                                         6.9
4.19   Servicing                                        5.10
4.20   Statistical techniques                           6.4

Cross-reference between ISO 9000-3 and ISO 9001, from Annex A in ISO 9000-3

Clause in ISO 9000-3                                    Clause in ISO 9001
4.1    Management responsibility                        4.1
4.2    Quality system                                   4.2
4.3    Internal quality system audits                   4.17
4.4    Corrective action                                4.14
5.1    General (added to Annex A)                       none
5.2    Contract review                                  4.3
5.3    Purchaser's requirements specification           4.3, 4.4
5.4    Development planning                             4.4
5.5    Quality planning                                 4.2, 4.4
5.6    Design and implementation                        4.4, 4.9, 4.13
5.7    Testing and validation                           4.4, 4.10, 4.11, 4.13
5.8    Acceptance                                       4.10, 4.15
5.9    Replication, delivery, and installation          4.10, 4.13, 4.15
5.10   Maintenance                                      4.13, 4.19
6.1    Configuration management                         4.4, 4.5, 4.8, 4.12, 4.13
6.2    Document control                                 4.5
6.3    Quality records                                  4.16
6.4    Measurement                                      4.20
6.5    Rules, practices, and conventions                4.9, 4.11
6.6    Tools and techniques                             4.9, 4.11
6.7    Purchasing                                       4.6
6.8    Included software product                        4.7
6.9    Training                                         4.18
UNLIMITED, UNCLASSIFIED